Warning for BlackBerry Forensics

BlackBerry devices come with password protection. The owner can protect all data on the phone with a password, and may also specify the number of password attempts allowed before all data is wiped from the device.

If you exceed the password attempt limit (it defaults to 10, but can be set as low as 3), you will be prompted one last time to type the word BlackBerry. The device will then wipe itself: it is reset to the factory out-of-the-box condition and the password is reset. Everything in the device memory is lost, with no possibility of recovery. The microSD card is not reformatted, since it is not part of the factory configuration. The phone will still be usable and the operating system will be unchanged, so this technique cannot be used to roll back from an OS upgrade problem.

Obviously this is a serious problem if you need to perform forensics on the device. The best workaround is to work with the owner of the device and, ideally, get them to disclose the password.

Acquiring BlackBerry Backup File (.ipd)

1. Open BlackBerry’s Desktop Manager
2. Click “Options” then “Connection Settings”
4. Select “USB-PIN: 2016CC12” for connection
5. Click “Detect”, then it should show a dialog box saying it found the device
6. Click "OK" to return to the main menu
7. Double click “Backup and Restore”
8. Click "Backup"
9. Save the .ipd file

BlackBerry Protocol

The BlackBerry protocol has been documented by Phil Schwan, Mike Shaver, and Ian Goldberg. Their article describes in detail packet sniffing and the protocol as it relates to data transfer across a USB port.